sdk connection from a remote network
Hi all,

I am getting an error when I try to make an SDK connection (such as a console) from a remote network. Everything is running R2 CU1. This is the scenario:

RMS sits on Network A. Local console and a few agents seem to be working fine.
GW1 sits on Network B. Local agents are connecting fine.

These networks are firewalled to mimic completely segregated networks separated by the internet. Traffic coming out of Network B is NATed to a specific address (i.e., the GW server is, say, 172.16.100.101, but the traffic leaving the Network B firewall looks like it is coming from 172.16.254.20). Traffic coming into Network A is also NATed (i.e., traffic hitting 172.16.254.10 is rerouted to an internal IP of 172.16.10.101, which is the RMS). This is in a lab and I have currently opened all ports coming from the Network B NATed address to the NATed RMS Network A address.

I have installed a console on GW1 and I cannot get the console to connect. Well, it connects and I can see in TCPView that it holds the connection. I can see in Netmon that it passes some SSL traffic. I know it is passing some data b/c if I mistype a password it tells me that user does not have permissions. If I type a password correctly, however, I get the below error. I am running out of ideas here, please help. Thanks

Date: 5/27/2010 7:20:36 AM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Error
Message: Failed to connect to server 'RMSServer'
Microsoft.EnterpriseManagement.Common.ServerDisconnectedException: The client has been disconnected from the server. Please call ManagementGroup.Reconnect() to reestablish the connection. ---> System.ServiceModel.CommunicationException: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.
Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.EnterpriseManagement.Common.ISessionManager.Connect(Boolean useCache) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier) --- End of inner exception stack trace --- at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings) at Microsoft.EnterpriseManagement.ManagementGroup..ctor(ManagementGroupConnectionSettings connectionSettings) at 
Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings) at Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server, String username, SecureString password, String domain) at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleWindowBase.ConnectWithCredentials(Exception ex, ConsoleJobEventArgs args) System.ServiceModel.CommunicationException: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.EnterpriseManagement.Common.ISessionManager.Connect(Boolean useCache) at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
May 27th, 2010 2:23pm

The error says that the console cannot connect to the server named RMSServer. Try pinging RMSServer from the host you are running the console from. That will tell you if you can even connect to it. Then, consider whether domain credentials from Network A are trusted by Network B (or vice versa). If no trust, or no trusted credentials provided, no connection for you. Try connecting to the SQL server the RMS uses (with Query Analyzer) from the same host you are running the client from. That will tell you if there is any other pathing problem. Until you can get a connection, you have a network problem :)
Microsoft Corporation
May 27th, 2010 6:12pm

I can't ping through these firewalls, but I can establish a TCP (telnet) connection to ports 5723 and 5724 (as well as any other ports the RMS is listening on). There is no trust between the networks. I am launching the console in Network B as a Domain B user. When I try to connect, I am prompted for credentials. I am providing domain credentials for an OpsMgr admin on Domain A. I think the credentials are OK b/c if I provide bad credentials or credentials that are only good on Domain B I get a permissions error. I only get the above when I provide valid Domain A credentials. The SQL server is on a different host than the RMS, but if I connect to port 80 on the RMS, I get valid HTTP back. I don't think it is a network or port issue unless NATing is the problem. Is it possible that SCOM has problems w/ NATed connections?
May 27th, 2010 6:29pm

If your NATing is done right, SCOM can't know it is there. You may want to double check that all of the ports that need to be open are open. Since you are getting the challenge/response, you are making part of the connection.
Microsoft Corporation
May 27th, 2010 6:46pm

Currently, all the ports are open. That said, according to what I have read, we should only need 5723 and 5724 (client and SDK) to be open, right? I have specifically tested both of those ports. Everything else works as expected (including gateway traffic), so I think the NATing is working correctly. As far as authentication, I have a question about another scenario. If I install a console on a machine in a workgroup, should I be able to connect to the RMS? I imagine I would be prompted for credentials as I am now. Would I expect the authentication to work between a machine on a workgroup and my RMS on a domain? If that scenario should work, shouldn't I expect this scenario to work? I appreciate any suggestions, I am running out of test avenues to figure this out. Thanks
May 27th, 2010 7:33pm

I hate computers. B) Time sync wasn't working in my lab domains and this was killing Schannel. I should have realized this one sooner. Anytime you have a time drift of (by default) 10 mins between computers, the Windows crypto libraries throw an error. I have successfully connected.
June 1st, 2010 1:34pm
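The thread ends on two checks worth scripting before blaming the firewall: whether the agent/SDK ports actually accept a TCP connection through the NAT, and whether the console host's clock is within the tolerance that Kerberos and Schannel require. The PowerShell below is an added example written for this thread, not code from any of the posters or from Operations Manager. It assumes the host name RMSServer from the posts, the ports 5723 and 5724 named in the thread, that UDP 123 to the RMS is allowed so that w32tm can probe it, and an assumed skew threshold of 300 seconds (the Kerberos default clock tolerance is 5 minutes).

```powershell
# Added example: verify SDK/agent port reachability and clock skew against the RMS.
# $RmsHost, $Ports, $TimeoutMs and $MaxSkewSeconds are assumptions, not project settings.
param(
    [string]$RmsHost = 'RMSServer',      # host name used in the thread; replace with yours
    [int[]]$Ports = @(5723, 5724),       # agent (5723) and SDK (5724) listeners
    [int]$TimeoutMs = 3000,
    [double]$MaxSkewSeconds = 300        # assumed threshold; Kerberos default tolerance is 5 minutes
)

function Test-TcpPort {
    # Returns $true only if a full TCP handshake completes within the timeout.
    # A timeout (rather than an immediate refusal) usually means a firewall or NAT rule drop.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ClockSkewSeconds {
    # Probes the target over NTP with w32tm and averages the reported offsets.
    # Returns $null when no offset lines come back (UDP 123 blocked, or no time service).
    param([string]$ComputerName)
    $out = & w32tm.exe /stripchart "/computer:$ComputerName" /samples:3 /dataonly 2>&1
    # Data lines look like "07:20:36, +00.0012345s"; capture the signed offset field.
    $offsets = foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
    }
    if (-not $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

foreach ($p in $Ports) {
    $ok = Test-TcpPort -ComputerName $RmsHost -Port $p -TimeoutMs $TimeoutMs
    '{0}:{1} reachable = {2}' -f $RmsHost, $p, $ok
}

$skew = Get-ClockSkewSeconds -ComputerName $RmsHost
if ($null -eq $skew) {
    "Clock skew: could not measure (NTP to $RmsHost blocked?); compare 'w32tm /query /status' on both hosts instead"
} elseif ([math]::Abs($skew) -gt $MaxSkewSeconds) {
    'Clock skew {0:N1}s exceeds {1}s: Kerberos/Schannel handshakes will fail; fix time sync first' -f $skew, $MaxSkewSeconds
} else {
    'Clock skew {0:N1}s is within tolerance' -f $skew
}
```

Run it from the console host (the GW1 box in the thread) so the checks take the same NAT path the console does. A port that reports reachable while the console still fails, combined with a large skew value, points at the time-sync cause the thread ended on rather than at the firewall; when the NTP probe returns nothing, compare the clock status on both sides by hand, since a blocked UDP 123 does not itself break the SDK connection.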

hmm, that's a rather odd one.
June 4th, 2010 6:56am

It solve my problem, thanks.
December 15th, 2010 4:39am
